v0.3.3 (8cb0b433b2)


    Released by cat on 2025-12-15 20:34:45 +09:00

    Security

    This release mitigates vulnerabilities in the PipeWire SecurityContext. It is highly recommended to upgrade to this release as soon as possible.

    The SecurityContext machinery is fatally flawed: it blindly sets the read and execute bits on all objects for clients at the lowest achievable privilege level (PW_KEY_ACCESS set to "restricted"). This lets such clients call any method on any object, and since Registry::Destroy checks for the read and execute bits, it also allows the destruction of any object other than PW_ID_CORE. This behaviour is implemented separately in media-session and wireplumber; the wireplumber implementation is written in Lua and runs in an embedded Lua VM. In all known setups wireplumber is in use, and there is no known way to change its behaviour and assign permissions differently without replacing the Lua script. Since PipeWire itself relies on these permissions to work, reducing them is not possible either.
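
To make the permission rule above concrete, here is an added Go model (not Hakurei's or PipeWire's code) of the check as the paragraph describes it. The permission bit values are those of pipewire/permission.h; the "rx" flag-string notation and the per-object permission table with a PW_ID_ANY fallback are assumptions modelled on PipeWire's permission API.

```go
package main

import "fmt"

// Permission bits from pipewire/permission.h; PW_ID_ANY / PW_ID_CORE as IDAny / IDCore.
const (
	PermR  uint32 = 0400
	PermW  uint32 = 0200
	PermX  uint32 = 0100
	IDCore uint32 = 0
	IDAny  uint32 = 0xffffffff
)
var flagBits = map[rune]uint32{'r': PermR, 'w': PermW, 'x': PermX}

// ParsePerms turns an "rwx"-style string into bits (assumed notation); "rx" is the restricted grant.
func ParsePerms(s string) (uint32, error) {
	var p uint32
	for _, c := range s {
		bit, ok := flagBits[c]
		if !ok {
			return 0, fmt.Errorf("unknown permission flag %q", c)
		}
		p |= bit
	}
	return p, nil
}

// Perms is a client's permission table: per-object entries with an IDAny fallback (assumed model).
type Perms map[uint32]uint32

func (p Perms) For(id uint32) uint32 {
	if v, ok := p[id]; ok {
		return v
	}
	return p[IDAny]
}

// DestroyAllowed is the Registry::Destroy rule: never the core object; otherwise R and X suffice.
func DestroyAllowed(p Perms, id uint32) bool {
	perm := p.For(id)
	return id != IDCore && perm&PermR != 0 && perm&PermX != 0
}

func main() {
	restricted, _ := ParsePerms("rx") // what the policy grants a restricted client on every object
	table := Perms{IDAny: restricted}
	for _, id := range []uint32{IDCore, 1, 33, 42} {
		fmt.Println(id, DestroyAllowed(table, id)) // 0 false, then true for every other object
	}
}
```

Running it shows the blast radius the paragraph describes: every object except the core passes the destroy check for a client that holds nothing more than "rx".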

    Currently, the only other sandboxed use case is flatpak, which is not aware of PipeWire and blindly exposes the bare PulseAudio socket to the container (behaving like DirectPulse). This socket is backed by the pipewire-pulse compatibility daemon, which obtains the client pid via the SO_PEERCRED socket option. The PipeWire daemon, the pipewire-pulse daemon and the session manager daemon then each separately perform the /.flatpak-info hack described in #21. In this use case, since the client has no direct access to PipeWire, the insecure parts of the protocol are obscured by pipewire-pulse simply not implementing them, which hides the flaws described above.

    Hakurei does not rely on the /.flatpak-info hack. Instead, a socket is set up via SecurityContext. A pipewire-pulse server connected through it obtains the same permissions as flatpak does via the /.flatpak-info hack, and is maintained for the life of the container.

    As of this release, upstream has not responded to the ticket regarding these flaws, and it is highly unlikely that a fix is possible without breaking the entire protocol.

    Fixes

    • Implement all reachable events in internal/pipewire.
    • Treat unknown opcodes as fatal in internal/pipewire.
    • Treat invalid proxy acknowledgement as fatal in internal/pipewire.
    • Correctly handle nil values in POD format in internal/pipewire.

    Enhancements

    • Package internal/pipewire now handles directed Core::Error events as part of the exported methods.
    • The error string for an unsupported type error is used as the error message directly, which cleans up the resulting output.

    Internal

    • Distribution tarballs are now built using newer versions of compiler and libraries.
    • Implement local and remote object destruction in internal/pipewire.
    • Move Core methods under the Core type in internal/pipewire.
    • Synchronise stubbed wait4 loop after call to notify in container.
    • Shim now supports an optional private working directory.

    Full Changelog: v0.3.2...v0.3.3